Oracle to SQL Violation of PRIMARY KEY constraint. During full load, table is suspended due to Primary Key Violation.

[TARGET_LOAD     ]E:  RetCode: SQL_SUCCESS  SqlState: 23000 NativeError: 2627 Message: [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Violation of PRIMARY KEY constraint 'SERVICE_SYS_C001817631'. Cannot insert duplicate key in object 'dbo.SERVICE'. The duplicate key value is (G2190)

00010944: 2025-06-16T10:35:15 [TASK_MANAGER    ]W:  Table 'dbo'.'SERVICE' (subtask 1 thread 1) is suspended. RetCode: SQL_SUCCESS  SqlState: 23000 NativeError: 2627 Message: [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Violation of PRIMARY KEY constraint 'SERVICE_SYS_C001817631'. Cannot insert duplicate key in object 'dbo.SERVICE'. The duplicate key value is (G2190).; Failed to commit 10000 rows to target 'dbo.SERVICE'  (replicationtask.c:3239)

Resolution

This could be a classic capitalization issue between Oracle source to SQL target

Example

CREATE TABLE adam.products (
product_sku VARCHAR2(50) NOT NULL,
product_name VARCHAR2(255) NOT NULL,
price NUMBER(10, 2),
CONSTRAINT products_pk PRIMARY KEY (product_sku)
);

Then insert 2 identical records except for their capitalizations:

• Insert the first row with a lowercase PK.

  INSERT INTO adam.products (product_sku, product_name, price)
  VALUES ('key-logi-mx-m', 'Logitech MX Keys Mechanical (lowercase sku)', 169.00);

• Insert the second row with an uppercase PK
• This is also a simple, standard insert. It will success.
  

  INSERT INTO adam.products (product_sku, product_name, price)
  VALUES ('KEY-LOGI-MX-M', 'Logitech MX Keys Mechanical (UPPERCASE SKU)', 169.00);

Now, since Oracle is case-sensitive and the default installation of SQL Server is case-insensitive, it is a duplicate in SQL.

RetCode: SQL_SUCCESS SqlState: 23000 NativeError: 2627 Message: [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Violation of PRIMARY KEY constraint 'PRODUCTS_PRODUCTS_PK'. Cannot insert duplicate key in object 'ADAM.PRODUCTS'. The duplicate key value is (KEY-LOGI-MX-M). [1022510] (sqlserver_endpoint_imp.c:5764)

Cause

It is changeable, by ALTER table on target.

ALTER TABLE ADAM.Products
ALTER COLUMN product_sku VARCHAR(50) COLLATE Latin1_General_CS_AS NOT NULL;

For Replicate , you would have to:

1. ALTER table on SQL target.
2. Set task to truncate on full load.
3. Reload table.

Environment

Qlik Replicate 

Unable to login to Talend Administration Center(TAC) and getting the error after providing the credentials:

"SSO prevent direct login from windows Please login by identity provider system"

Resolution

1. Check if you are not enabled SSO and have accidentally turned it on.
2. If yes for point #1, then please try to get into TAC using the emergency SSO user: defining-emergency-user-for-talend and then manually set SSO to false in the Configuration setting of TAC.
3. If for some reason the emergency SSO user fails, then please try to modify the database configuration table to set to false and restart TAC. 
   Below are the steps to do the same
   • Go to the TAC database and find table "configuration" then set

     sso.field.useSSOLogin=false

   • Restart the TAC server

Ensure you take a backup of the table and also are using correct credential details.

Cause

Accidentally turn on SSO login or might be DB table corruption.

Environment

Talend Administration Center 8.0.1

Stitch only offers account consolidation at the billing level.

If you have multiple Stitch accounts, you can reach out to the Sales team to help you consolidate your accounts so that you only get billed once for all accounts.

However, the accounts themselves cannot be merged, i.e., integrations and destinations setup in one account cannot be migrated to another. If you prefer to avoid managing multiple accounts, you will need to setup your workflows in your preferred account, and this will include historical loads for newly setup integrations.

Please note that Stitch offers a 7-day exemption for newly named integrations. This implies that if you setup an integration with a schema name that was not previously used in the account, it will be regarded as a new integration. Schema names are verified against individual Stitch accounts only.

If you intend to manage multiple Stitch accounts and need to add the same team members in each account, please use the naming convention outlined here to add new members.

Environment

• Stitch 

When opening the Qlik Sense hub, the following error is displayed: 

Error requesting "https://_:4242/qrs/license/" - Error: tunneling socket could not be established, cause=getaddrinfo ENOTFOUND 80808080:80



However, the Qlik Sense logs are relatively clean during this time.

Only log files in C:\ProgramData\Qlik\Sense\Log\HubService shows the same message repeatedly:

6    20180409T133219.753+1000    ServerName    0.15.8    Global    INFO    Requesting GET https://ServerName:4242/qrs/license/, referrer /license/
7    20180409T133222.053+1000    ServerName    0.15.8    Global    ERROR     [ Error requesting GET https://ServerName:4242/qrs/license/ ] - Error: tunneling socket could not be established, cause=getaddrinfo ENOTFOUND 8080 8080:80
 

Cause:

Proxy Service is accessing Repository Service via URL https://ServerName:4242.

This connection respects the Proxy Settings in Environment Variables. Any limitations caused by the environment proxy settings will prevent service communication.

Resolution:

1. Run the batch file in Windows Commands To Retrieve Environment Information on Qlik Sense servers that are running Proxy.exe
2. Inspect "Environment Variable" section in the result files.
3. Find out whether following variables exist:
   • HTTPS_PROXY
   • HTTP_PROXY
4. If they do, contact Windows Administrator and remove them. Restart the server.

Important: There might be settings automatically add these variables back to the server after a restart or certain time period. Should that happen please contact Windows Administrator to resolve.

1. Access the System Properties in Control Panel > All Control Panel Items > System
2. Advanced system settings 
3. Under “Advanced” tab > Environment Variables 
4. Under system variables tab delete: “HTTPS Proxy” & “HTTP Proxy” 
5. Restart the server

Qlik NPrinting tasks appear to run but are stuck on the same percentage.

Qlik NPrinting can work for days or even weeks, completing tasks correctly. Suddenly, all task stops at different levels of execution. New tasks start, but stay on 0%.

Idle sessions have already been removed by applying How to remove the Idle Connections from Nprinting Related processes.

This error message is shown in the rabbit logs in C:\ProgramData\NPrinting\RabbitMQ for a default installation:

{{badmatch,{error,eacces}}

Qlik NPrinting is installed on a Windows 2019 server, and the version of Qlik NPrinting works with RabbitMQ 4 or higher (see the system requirements page to identify your Qlik NPrinting track).

Environment

• Qlik NPrinting all versions

Resolution

Restarting all Qlik NPrinting and Qlik Sense services can temporarily resolve the problem.

It is possible to mitigate the problem by installing the latest release of Qlik NPrinting, but this is still not a full solution, as the same issue may repeat due to a defect in Windows Server 2019.

A complete solution is to upgrade the operating system where Qlik NPrinting is installed to a higher version.

Cause

The problem is caused by specific updates affecting Windows file system components in Windows Server 2019 that occasionally prevent system access for our messaging service.

Qlik Sense Search Folder is growing in size.

Smart search is the global search tool in Qlik Sense, enabling you to search the entire data set in your app from any sheet in the app. See Using Smart Search on the official Qlik Online Help for details. 

This search is indexed to disk at %Share%/Apps/Search.

As time goes on, the index grows and commits more disk space. 
 

Environment: 

Resolution:

The contents of the Qlik Sense Search folders can be deleted to free up disk space. The content pertains to App ID's, so it would be best to remove those which are not often used. The only effect this would have is increasing the amount of time needed to complete a Smart Search for this same App in the future.

Qlik Sense can also be configured to purge the Search Folder on a schedule. The setting will need to be applied in the settings.ini of either the Qlik Sense Enterprise Server or the Qlik Sense Desktop. For information on how to edit the settings.ini file, reference How to modify Qlik Sense Engine's Settings.ini.
 

Name

ServerPurgeSearchIndexFileInterval

Default Value

3600

Description

• -1 the search index folder is never purged.
• 0 or negative (except -1), the purge happens constantly.
• strictly positive value, the search index folder is purged each ServerPurgeSearchIndexFileInterval seconds.

The purge system removes the unused search index files. In addition, it removes the oldest used search index files until the search index folder is smaller than ServerSearchIndexFileDirectoryMaximumSizeInMBytes.

Name

ServerSearchIndexFileDirectoryMaximumSizeInMBytes

Default Value

-1

Description

Maximum size of the search index directory in megabytes. During the periodic purge, old indexes are removed until the total size of index files is below this threshold. If negative, do not limit the size of the directory.

Make sure to add both parameters mentioned above into the settings.ini, the cleaning will happen at the specified intervall but only after the size limit is reached.

You may encounter an error : 400 - Invalid SNI when calling Talend Runtime API (Job as service) after installed 2025-02 patch or later. In the past before the patch version R2025-02 of Talend Runtime Server, it did work well when using the same certificate for SSL connection with Talend Runtime Server and did not cause any issue. 

The SNI validation is active after 2025-02 patch or later.

Resolution

There are three options to slove this issue

1. Obtain and install a proper certificate that references the correct host name and then access it with the hostname rather than by IP.
2. Disable SNI host check.
3. Tell Talend component to resolve IP as hostname

Disable SNI Host Check

This has the same security risk as jetty before it was updated (low security)

In <RuntimeInstallationFolder>/etc/org.ops4j.pax.web.cfg file, please add

jetty.ssl.sniRequired=false

and 

jetty.ssl.sniHostCheck=false

Or configuring these jetty parameters in <RuntimeInstallationFolder>/etc/jetty.xml or jetty-ssl.xml file

• Find the <New class="org.eclipse.jetty.server.SecureRequestCustomizer"> block in your jetty.xml or jetty-ssl.xml 
  
  
• Edit the <Arg name="sniRequired" ...> and <Arg name="sniHostCheck" ...> lines so that the properties' defaults are set to false as shown below:
  
  

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
  <Arg>
  <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
  <Arg name="sniRequired" type="boolean">
  <Property name="jetty.ssl.sniRequired" default="false"/>
  </Arg>
  <Arg name="sniHostCheck" type="boolean">
  <Property name="jetty.ssl.sniHostCheck" default="false"/>
  </Arg>
  <Arg name="stsMaxAgeSeconds" type="int">
  <Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/>
  </Arg>
  <Arg name="stsIncludeSubdomains" type="boolean">
  <Property name="jetty.ssl.stsIncludeSubdomains" default="false"/>
  </Arg>
  </New>
  </Arg>
  </Call>
  </New>

  

Resolve IP to Hostname

If the certification includes the domain name, you should use that domain name instead of the IP with the Jetty security updates in Talend Runtime Server.

But if your DNS server does not resolve the IP, you must call it by the IP address, so please check it at first to see if the workaround is feasible for your current situation.

In the examples the hostname is unresolvedhost.net and the IP is 10.20.30.40.

Try this API call at the command line:

curl -k -X GET --resolve unresolvedhost.net:9001:10.20.30.40 https://unresolvedhost.net:9001/services/

or

curl -k -X GET -H "Host: unresolvedhost.net" https://10.20.30.20:9001/services/

If this works, in your Talend component that makes the API call, go to "Advanced settings" or "Headers" table, add a row with Key: Host and Value: The hostname that matches your SSL certificate (e.g. unresolvedhost.net)

This will instruct Talend to send the correct Host header, which most HTTP clients (including Java's HttpClient) will also use as the SNI value during the TLS handshake.
 

Cause

The SNI enforcement is there for a security reason. With the 2025-02 patch, the Jetty components on Talend Runtime Server resolved a CVE security issue where they allowed a hostname to connect to a server that doesn't match the hostname in the server's TLS certificate.

Certificates require the URI not to be localhost or an IP address, and to have at least one dot, so a fully qualified domain name is best.

Related Content 

 https://stackoverflow.com/questions/69945173/org-eclipse-jetty-http-badmessageexception-400-invalid-sni

Environment

Talend ESB 

A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.

The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access. 

Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console.  It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer). 

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example:  C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE]) Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE] Reverting to default Qlik Sense SSLCertificate Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

Resolution:

In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.

Certificates that are known to work well with Qlik Sense have the following attributes:

• Certificates that are x509 version 3. More information including filename extensions under https://en.wikipedia.org/wiki/X.509 
• Use signature algorithm sha256RSA
• Use signature hash algorithm sha256
• Signed by a valid, and OS/browser configured , CA
• Are valid according to date restrictions (valid from/valid to)
• Key in format CryptoAPI (not in CNG)
• The certificate itself has to contain private key no matter what Qlik Sense version.

 Related Content:

How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate 

 

When upgrading to Qlik Talend Studio R2025-06v3 or later tSnowflakeRow with Snowflake-jdbc-driver-3.22.0 that uses the function LAST_QUERY_ID() in command always returns “Alter session set JDBC_USE_SESSION_TIMEZONE=false” instead of the the correct query id（query id last query ran）as a result. 

Resolution

To have LAST_QUERY_ID() return the last query and not the alter session query, it is required to modify the command to use LAST_QUERY_ID(-2).

For example: 

Select query used in tSnowflakeRow component

 "SELECT LAST_QUERY_ID() as LAST_QUERY_ID(-2);"

Cause 

In Studio R2024-04, a new checkbox "Use Session Timezone" was added to the tSnowflakeInput and tSnowflakeRow components. The default value is unchecked (Alter session set JDBC_USE_SESSION_TIMEZONE=false) to avoid Snowflake regression issue Incorrect timezone handling for java.sql.Time, However this does bring the side effect of snowflake functions like LAST_QUERY_ID() returning the wrong value.

Related Content

2025-04-studio-known-issues for 'Use Session Timezone' option in the Snowflake components

Environment

Talend Data Integration 

Creating a Qlik Sense Client-Managed connection | Migration Center Help documents all steps needed to create a Qlik Sense Client-Managed connection to the Qlik Analytics Migration Tool.

As a part of the System Requirements (System requirements | Migration Center Help), Qlik advises that the Qlik Sense Proxy service must have a valid third-party certificate.

This article explains the process to follow if no third-party certificate is available; for example, when setting up a test connection in your UAT or test environment. For this example, we will be using the self-signed certificate used by Qlik Sense. 

Securing the connection

The first challenge we need to overcome is the Not Secure alert when accessing Qlik Sense:

1. Run certlm.msc with elevated permissions (as Administrator)
   
   
   
   
2. Select Trusted Root Certification Authorities > Certificates > All Tasks > Import
   
   
   
   
3. Click Next
4. Select All Files and choose the root.pem stored in  C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates
   
   
   
   
5. Click Open and follow the onscreen instructions; when prompted for the Certificate Store choose the Trusted Root Certificate Authorities storage location
   
   
   
   
6. Confirm the CA cert was installed by refreshing the Trusted Root Certificate Authorities > Certificates list:
   
   
   
   
   
7. Close CertML and open https:// YOUR-HOST.domain.local/hub to confirm the connection is now displayed as Secured:
   
   
   
   

Connecting to the Qlik Analytics Migration Tool

Creating a Qlik Sense Client-Managed connection | Migration Center Help

To establish a connection to the Qlik Analytics Migration Tool in this example, we will be using Method 2 of the recommended steps: Create a virtual proxy using the tool | help.qlik.com.

1. In the Qlik Analytics Migration Tool, navigate to the Connections tab and select Qlik Sense Client-Managed
2. Click Create New
3. Switch to the Virtual Proxy Setup tab
4. In the Qlik Server URL field, enter the login URL of the Qlik Sense Client-Managed environment
5. Click Login to Qlik
   
   
   
   
6. After logging in, open your web browser's Developer Tools (F12 or fn + F12)
7. Go to the Application tab, expand Cookies, then select the Qlik Sense domain and copy the Cookie Name and Cookie Value
   
   
   
   
   
8. Paste the values into the Session Cookie fields in the Virtual Proxy Setup – Guide
9. Click Retrieve users and proxies from Qlik and confirm the message
   
   
   
   
10. In the Select Service User dropdown, select a RootAdmin user to associate with the virtual proxy
11. In the Select Proxy Service dropdown, select the proxy service (typically Central)
12. Optionally, set a Virtual Proxy Name (no spaces allowed)
13. Click Create Virtual Proxy
14. After proxy creation, a JWT token will be displayed (optional to save)
15. Click Go to Connection Setup 
    
    
    
    
16. Click Test Connection to validate the setup
17. Click Create Connection
18. A confirmation message will appear, and the connection will be added to the list
19. This step creates a Qlik Sense Converter connection

Environment

• Qlik Cloud Migration Tool
• Qlik Sense Enterprise on Windows
• Qlik Cloud Analytics

Is it possible to migrate users and data connections from one Qlik Cloud Analytics tenant to another?

You cannot migrate users and data connections from an existing tenant to a newly purchased tenant.

The following will need to be done:

• All data connections must be recreated
• Apps and scripts in the new tenant need to have their data connections updated to reference the new connections
• For users, it will be necessary to send new invitations or configure your identity provider to manage access to your new Qlik Cloud tenant

What about apps and scripts?

Apps can be migrated from one tenant to another using the following Qlik CLI automation: Migrate apps between Qlik Cloud tenants 

This tutorial is not exhaustive, and does not migrate other resources such as spaces, automations, data alerts, subscriptions, notes, etc. Qlik offers solutions via Qlik Professional Services for complete tenant to tenant migrations.

For scripts, follow the process of exporting them manually from the old tenant and then importing them to the new tenant. See Exporting scripts.

To make the process easier for you, Qlik's customer support team can link the newly purchased tenant license to a trial tenant, and you can continue to use the trial tenant. The trial tenant will be updated to a Standard, Premium, or Enterprise version after linking the license (depending on which package was purchased).

Do you need iterative planning and support assistance?

If you're looking to perform a manual transfer but need assistance with iterative planning or direct engagement by Qlik, our Professional Services are ready to assist.

Additional References

• Exporting apps | help.qlik.com 
• How to export QVD files from a Qlik Cloud Tenant 

Environment

• Qlik Cloud Analytics

Qlik Sense Enterprise on Windows can be set up with a central node and multiple rim nodes. See Installing a Qlik Sense rim node.

To remove a rim node at any point after setup:

1. Open the Qlik Sense Enterprise Management Console
2. Go to Nodes
3. Find the rim node you wish to remove 
4. Click Delete

It is now safe to uninstall the Qlik Sense services or decommission the server. When uninstalling, ensure that you select the Remove Qlik Sense certificates and data folders option.

Environment

• Qlik Sense Enterprise on Windows

While Qlik Cloud provides robust data connectivity options through the Data Movement Gateway, some organizations require additional controls to restrict access to the Qlik Cloud Talend platform itself, not only to data connections. 

While Qlik Cloud does not currently support full tenant-level access restriction via PrivateLink, it does offer:

• IP-based access control via Web Integrations
• Strong authentication and security policies
• Gateway-based PrivateLink support for data connectivity
• Cryptographically secure gateway communication

This article outlines these available options and limitations for securing tenant access at the platform level.

Content

• Does Qlik Cloud support IP Allowlist for tenant access?
• Are there network-level restrictions available for accessing the Qlik Cloud tenant?
• What are the available options for securing tenant access beyond standard authentication?
• Understanding Gateway Security Architecture
• Future Plans

Does Qlik Cloud support IP Allowlist for tenant access?

Yes. Qlik Cloud supports IP allowlisting through Web Integrations, which can be configured to restrict access to the tenant based on specific IP addresses.

See Managing web integrations for details.

Are there network-level restrictions available for accessing the Qlik Cloud tenant?

Qlik Talend Data Integration supports private connections for tenant-level access. Does Qlik Cloud support a similar, solution, such as Azure or AWS PrivateLink?

No, Qlik Cloud does not support Azure PrivateLink for tenant-level access in the same way Talend Cloud does.

• In Qlik Talend Data Integration, PrivateLink can be used to restrict access to the entire tenant.
• In Qlik Cloud, PrivateLink is supported only for data connectivity via a customer-managed gateway.
• The gateway acts as the endpoint for PrivateLink, but it does not restrict access to the Qlik Cloud web interface.
• See Support private connections in Qlik Talend Data Integration for details.

What are the available options for securing tenant access beyond standard authentication?

Qlik Cloud offers several security features for tenant access:

• Multi-Factor Authentication (MFA)
• OAuth
• Content Security Policy (CSP)
• API Keys
• Web Integrations (IP Allowlist)

See Securing the system.

Understanding Gateway Security Architecture

When using the Data Movement Gateway, Qlik Cloud ensures secure communication through a multi-step cryptographic process:

1. Key Generation & Registration:
   
   Upon installation, the gateway generates a private/public key pair and a key ID (kid). The public key and key ID are registered in Qlik Cloud by the tenant admin.
   
   
2. Secure WebSocket Establishment:
   
   
   1. The gateway initiates a TLS-secured WebSocket (WSS) connection to Qlik Cloud.
   2. During this handshake:
      
      
      • The gateway verifies QCS’s certificate.
      • Qlik Cloud verifies the JWT sent by the gateway, ensuring it includes the correct key ID and is signed with the gateway’s private key.
      • This confirms a cryptographic match to the registered public key and key ID.
        
        
3. Channel Key Derivation:
    
   • Both sides generate ECDH key pairs and exchange secrets.
   • A channel key is derived and used to encrypt all traffic over the WebSocket.
   • This key is re-derived upon reconnection or restart, ensuring session-level encryption.

This architecture ensures that all data movement operations are secure, authenticated, and encrypted end-to-end.

Future Plans

If full tenant isolation via PrivateLink is a critical requirement, please submit a feature request via Qlik Ideation.

Environment

• Qlik Cloud
• Qlik Talend Data Integration

After upgrading to Remote Engine 2.13.13, when enabling the option to execute a job from Studio on a remote engine, the process fails due to SSL and PKCS-related errors.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

SSL Configuration for Talend Studio to Connect with Remote Engine

1. Retain the Keystore and Truststore Passwords Generated During Installation

   During the installation of Talend Remote Engine, SSL credentials are automatically generated. To retrieve the keystore password, execute the following command:

   cat /opt/TalendRemoteEngine/bin/sysenv

   and locate the line

   TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD=<PASSWORD>

2. Required Keystore and Truststore Files

   The following files are necessary for secure communication between Talend Studio and the Remote Engine:

   /opt/TalendRemoteEngine/etc/keystores/jobserver-client-keystore.p12
   /opt/TalendRemoteEngine/etc/keystores/jobserver-client-truststore.p12 (Truststore file added with RE 2.13.13)

   Transfer these files to your Talend Studio workstation and store them in a dedicated folder.

3. Configure Talend Studio to Use SSL

   Edit the Studio startup configuration file, depending on your operating system:

   • For Linux (x86_64): studio/Talend-Studio-linux-gtk-x86_64.ini
   • For ARM architecture: studio/Talend-Studio-gtk-aarch64.ini  
   • For Windows: Talend-Studio-win-x86_64.ini
4. Add the following JVM options to the configuration file, and adjust the file paths and password values accordingly:

       -Dorg.talend.remote.client.ssl.force=true
       -Dorg.talend.remote.client.ssl.keyStore=path_to_keystore/jobserver-client-keystore.p12
       -Dorg.talend.remote.client.ssl.keyStoreType=PKCS12
       -Dorg.talend.remote.client.ssl.keyStorePassword=<password_from_step_1>
       -Dorg.talend.remote.client.ssl.keyPassword=<password_from_step_1><
       -Dorg.talend.remote.client.ssl.trustStore=path_to_truststore/jobserver-client-truststore.p12
       -Dorg.talend.remote.client.ssl.trustStoreType=PKCS12
       -Dorg.talend.remote.client.ssl.trustStorePassword=<password_from_step_1>
       -Dorg.talend.remote.client.ssl.disablePeerTrust=false
       -Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
      

Cause 

Talend Remote Engine enforces SSL communication by default, ensuring that all interactions with the engine are encrypted. If Studio does not have the appropriate certificates installed, it will be unable to establish a secure connection with the Remote Engine.

Environment

• Talend Studio 
• Talend Cloud 

Node.js comes bundled with Qlik Sense Enterprise on Windows. Its version depends on the Qlik Sense released currently installed.

How do I know which version of node.js is used by Qlik Sense?

You can verify the version of any of the third-party integrations Qlik Sense makes use of by:

• Using the Qlik Sense API and calling About Service API: thirdParty: Get, which returns details including information about copyright, version, licensing, and legal notices.
• Accessing the below URL in a browser, where qlikserver.domain.local is replaced with your Qlik Sense server hostname:
  

  https://qlikserver.domain.local/api/about/v1/thirdParty

How do I upgrade my version of node.js is used by Qlik Sense?

You may want to upgrade node.js, specifically in response to a security vulnerability. To do so, upgrade Qlik Sense Enterprise on Windows. When upgrading Qlik Sense, the currently installed node.exe will be replaced with the version Qlik Sense comes bundled with at this release.

Can I install or upgrade a separately installed instance of node.js?

Installing Qlik Sense installs node.exe side-by-side in the following location: C:\Program Files\Qlik\Sense\ServiceDispatcher\Node.

If you install node.js manually it will typically be installed in C:\Program Files\nodejs and the Windows environment variable will point to this location by default (i.e. running node -v to get the version will result in providing the version of node found in C:\Program Files\nodejs).

As Qlik Sense will not register any Windows environment variable for node.js, it will not tamper with any settings affecting already installed node.js instances. Therefore it is safe to upgrade your separate instance of Node.js.

Environment

• Qlik Sense Enterprise all versions

Related Content

Third-party and middleware software integrated with Qlik Sense Enterprise on Windows 

Qlik Direct Access Gateway (DAG) is shown as disconnected. 

The Windows server's time lags behind the Qlik Cloud tenant's timezone. 

Resolution

Address the time difference by aligning the Windows server's clock. If necessary, align it to a standard NTP service. 

Cause

Misaligned time. Without alignment, Qlik Direct Access Gateway will disconnect.

Environment

• Qlik Direct Access Gateway
• Qlik Cloud Analytics

In processing step, under Lineage, you may unable to select the "Allow Lineage collection of this task" check box to enable it when creating  or editing your task in Talend Management Console.

Resolution

To verify your Qlik Talend Cloud License Type

1. Open the Qlik Talend Management Console
2. Go to Subscriptions Tab
3. Go to License Type

Cause

The reason of "Allow Lineage collection of this task" option is not visible when creating tasks in Qlik Talend Management Console is due to the type of license currently in use. The Lineage feature is only available with the Qlik Talend Cloud Enterprise Edition or Qlik Talend Cloud Premium Edition licenses.

Related Content

For more details please find the links below

• Enabling-lineage-collection
• Subscription-options-QTC.htm

Environment

• Talend Cloud 
• Talend Studio 

Leasing a license to the QlikView Desktop client with a custom user fails. 

Resolution

To set up QlikView to lease a license to a custom user, allow license leasing for DMS mode:

1. On the Windows Host running QlikView Desktop, browse to  C:\Users\USERNAME\AppData\Roaming\QlikTech\QlikView
2. Open the settings.ini in a text editor of your choice (as administrator)
3. Add the following parameter and value:
      
             SupportLeaseLicenseForDMSMode=1
   
   See How to change the settings.ini in QlikView Desktop for details.
4. Open the QlikView AccessPoint using QlikView Desktop and lease a license
   
   See How to lease a license in QlikView with DMS mode enabled for reference. 

If adding SupportLeaseLicenseForDMSMode=1 does not work:

1. On the QlikView server, browse to /ProgramData/QlikTech/
2. Rename the LicenseService folder to, for example, LicenseService_old
3. Open the QlikView Management Console
4. Navigate to System > License > Choose your QlikView Server's license
5. Click Apply License 
6. Open the QlikView AccessPoint using QlikView Desktop and lease a license
   
   See How to lease a license in QlikView with DMS mode enabled for reference. 

Internal Investigation ID(s)

QV-24037

Environment

• QlikView

When creating a Log Stream Staging task in Qlik Replicate, Qlik Enterprise Manager (QEM) may report an Express license restriction:

Express license: Running a task with 'Log Stream Staging' is not supported [1021616]

This can happen if the wrong license was registered in Qlik Enterprise Manager. Checking and re-registering the correct license in Qlik Enterprise Manager fixes the problem.

Resolution

To resolve this issue, re-register the correct Replication Management license in Qlik Enterprise Manager (QEM):

1. In Qlik Enterprise Manager, click the Gear (Settings) icon.
2. Select the Licenses tab.
3. Open the Replication Management sub-tab.
4. Verify the license properties. If they do not match the expected license (for example, the expiration date differs from other environments), click Register License.
5. Paste in the correct license text and register it.
6. Confirm that the license details update correctly.

Cause

Qlik Enterprise Manager maintains its own licenses for different modules (Replication Management and Replication Analytics). In this case, the incorrect license was applied under the Replication Management module for the prod Qlik Replicate server. As a result, Qlik Enterprise Manager interpreted the environment as running with an Express license.

Environment

• Qlik Enterprise Manager
• Qlik Replicate

A deployed 8.0.1 Talend Administration Center instance is bundled with Apache Tomcat 9.0.91. This Tomcat version has been flagged as being impacted by CVE-2025-24813.

Resolution

At this time, CVE-2025-24813 does not apply to the Talend Administration Center (TAC) webapp. The reason Talend Administration Center is not impacted at this time, is because Tomcat installed with Talend Administration Center has disabled the "Writes enabled for the default servlet" option (disabled by default); A prerequisite for being suspectable to an attack would be to have that setting enabled.

While the Talend Administration Center webapp itself is not impacted by the CVE, if users desire to remove those vulnerable jars removed from security scans (whether due to preference, security audit, or other considerations), users have the following options to pursue:

• If the current Tomcat instance that hosts Talend Administration Center 8.0 is version 9.0.x, users can upgrade Tomcat to 9.0.100 or higher.
• If the current Tomcat is using 10.1.34 or a prior version, users can upgrade Tomcat to at least 10.1.40 (or higher) and patch the TAC instance to QTAC-969.

Please note if users plan to upgrade Talend Administration Center from TPS-5552 or earlier (Using Tomcat 9) to QTAC-969 or higher for TAC 8.0, the recommended path would be to  deploy both Apache Tomcat 10.1.40 (or higher) and Java 17 to address this release. (One recommended option is to completely reinstall Tomcat & Talend Administration Center with the new installer and point to the new DB).

If users manually deploy Tomcat 10.1.40 (or a later version) alongside the Talend Administration Center to an instance, and wish to verify that the aforementioned flag(s) are disabled, kindly inspect the "web.xml" file located in (<Root Folder>/apache-tomcat/conf). Proceed to approximately lines 124-135, and examine the following configuration for the "org.apache.catalina.servlets.DefaultServlet":

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
          org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1<load-on-startup>
</servlet>

The example shown above illustrates that the value is set to "false", signifying that it is write-enabled. If users want that functionality disabled, change the "param-value" flag to false, save the changes, and subsequently restart Tomcat (either via the start/stop bat/sh script, or with the service).

Internal Investigation ID(s) 

QTAC-918

Environment

• Talend Administration Center 8.0.1